Bitnami package
rails
pkg:bitnami/rails
Vulnerabilities (13)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-54133 | Low | — | — | >= 5.2.0, < 7.0.9 | 7.0.9 | Dec 10, 2024 | Action Pack is a framework for handling and responding to web requests. There is a possible Cross Site Scripting (XSS) vulnerability in the `content_security_policy` helper starting in version 5.2.0 of Action Pack and prior to versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1. App |
| CVE-2024-47889 | Med | — | — | >= 3.0.0, < 6.1.8 | 6.1.8 | Oct 16, 2024 | Action Mailer is a framework for designing email service layers. Starting in version 3.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the `block_format` helper in Action Mailer. Carefully crafted text can cause the block |
| CVE-2024-47888 | Med | — | — | >= 6.0.0, < 6.1.8 | 6.1.8 | Oct 16, 2024 | Action Text brings rich text content and editing to Rails. Starting in version 6.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the `plain_text_for_blockquote_node` helper in Action Text. Carefully crafted text can cau |
| CVE-2024-47887 | Med | — | — | >= 4.0.0, < 6.1.8 | 6.1.8 | Oct 16, 2024 | Action Pack is a framework for handling and responding to web requests. Starting in version 4.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. For applications using HTTP To |
| CVE-2024-41128 | Med | — | — | >= 3.1.0, < 6.1.8 | 6.1.8 | Oct 16, 2024 | Action Pack is a framework for handling and responding to web requests. Starting in version 3.1.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. Carefully crafted |
| CVE-2024-32464 | — | — | — | >= 7.1.0, < 7.1.4 | 7.1.4 | Jun 4, 2024 | Action Text brings rich text content and editing to Rails. Instances of `ActionText::Attachable::ContentAttachment` included within a `rich_text_area` tag could potentially contain unsanitized HTML. This vulnerability is fixed in 7.1.3.4 and 7.2.0.beta2. |
| CVE-2024-28103 | — | — | — | >= 6.1.0, < 6.1.8 | 6.1.8 | Jun 4, 2024 | Action Pack is a framework for handling and responding to web requests. Since 6.1.0, the application configurable Permissions-Policy is only served on responses with an HTML related Content-Type. This vulnerability is fixed in 6.1.7.8, 7.0.8.2, and 7.1.3.3. |
| CVE-2024-26144 | — | — | — | >= 5.2.0, < 6.1.8 | 6.1.8 | Feb 27, 2024 | Rails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cookie when serving blobs. It also sets Cache-Control to |
| CVE-2024-26143 | — | — | — | >= 7.0.0, < 7.0.9 | 7.0.9 | Feb 27, 2024 | Rails is a web-application framework. There is a possible XSS vulnerability when using the translation helpers in Action Controller. Applications using translation methods like `translate`, or `t` on a controller, with a key ending in "_html", a `:default` key which contains untrusted |
| CVE-2024-26142 | — | — | — | >= 7.1.0, < 7.1.4 | 7.1.4 | Feb 27, 2024 | Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1.3.1. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby |
| CVE-2022-3704 | — | — | — | — | — | Oct 26, 2022 | A vulnerability classified as problematic has been found in Ruby on Rails. This affects an unknown part of the file actionpack/lib/action_dispatch/middleware/templates/routes/_table.html.erb. The manipulation leads to cross site scripting. It is possible to initiate the attack re |
| CVE-2021-44528 | — | — | — | >= 7.0.0-rc2, <= 7.0.0-rc2 | — | Jan 7, 2022 | An open redirect vulnerability exists in Action Pack >= 6.0.0: an attacker can craft an "X-Forwarded-Host" header that, in combination with certain "allowed host" formats, causes the Host Authorization middleware in Action Pack to redirect users to a malicious website. |
| CVE-2020-8163 | — | — | — | < 5.0.1 | 5.0.1 | Jul 2, 2020 | There is a code injection vulnerability in versions of Rails prior to 5.0.1 that would allow an attacker who controlled the `locals` argument of a `render` call to perform RCE. |
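The table above gives an affected range and a fixed version per CVE, but two things are easy to get wrong when reading it by hand: the ranges and "Fixed in" values are the Bitnami package's, while the upstream patched Rails releases are the ones quoted inside each description (for example the first row says fixed in 7.0.8.7, not 7.0.9), and one row (CVE-2022-3704) has no range at all. The following script is an added example, not code from Bitnami or from the Rails project: it copies the table's ranges into a hash, pulls the resolved `rails` version out of a Gemfile.lock, and reports each CVE as affected, not affected, or unknown using RubyGems' own `Gem::Version`/`Gem::Requirement` comparison. The function names and the sample Gemfile.lock are constructed for this example.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with Ruby

# Affected ranges copied from the table above. These are the Bitnami package
# ranges, not upstream Rails ranges; cross-check hits against the patched
# versions named in each description. A nil range means the page gives none.
ADVISORIES = {
  "CVE-2024-54133" => [">= 5.2.0", "< 7.0.9"],
  "CVE-2024-47889" => [">= 3.0.0", "< 6.1.8"],
  "CVE-2024-47888" => [">= 6.0.0", "< 6.1.8"],
  "CVE-2024-47887" => [">= 4.0.0", "< 6.1.8"],
  "CVE-2024-41128" => [">= 3.1.0", "< 6.1.8"],
  "CVE-2024-32464" => [">= 7.1.0", "< 7.1.4"],
  "CVE-2024-28103" => [">= 6.1.0", "< 6.1.8"],
  "CVE-2024-26144" => [">= 5.2.0", "< 6.1.8"],
  "CVE-2024-26143" => [">= 7.0.0", "< 7.0.9"],
  "CVE-2024-26142" => [">= 7.1.0", "< 7.1.4"],
  "CVE-2022-3704"  => nil,
  "CVE-2021-44528" => [">= 7.0.0-rc2", "<= 7.0.0-rc2"],
  "CVE-2020-8163"  => ["< 5.0.1"],
}.freeze

# Extract the resolved rails version from Gemfile.lock text. The spec line
# lives under "GEM" / "specs:" and is indented exactly four spaces
# ("    rails (7.0.8.4)"); dependency lines are indented six, so they do
# not match. Returns nil when rails is not a resolved gem.
def rails_version_from_lockfile(lockfile_text)
  m = lockfile_text.match(/^ {4}rails \(([^)]+)\)/)
  m && m[1]
end

# Map every CVE on the page to :affected, :not_affected or :unknown for the
# given version string. Unknown ranges are surfaced, never silently skipped.
def check_rails_version(version_string)
  version = Gem::Version.new(version_string)
  ADVISORIES.to_h do |cve, range|
    status =
      if range.nil?
        :unknown
      elsif Gem::Requirement.new(*range).satisfied_by?(version)
        :affected
      else
        :not_affected
      end
    [cve, status]
  end
end

# Convenience: just the CVE ids whose Bitnami range contains the version.
def affected_cves(version_string)
  check_rails_version(version_string).select { |_, s| s == :affected }.keys
end

# Constructed sample lockfile for the example (not a real project's file).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (7.0.8.4)
      rails (7.0.8.4)
        actionpack (= 7.0.8.4)
LOCK

if $PROGRAM_NAME == __FILE__
  version = rails_version_from_lockfile(ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE)
  abort "no resolved rails gem found" unless version
  puts "rails #{version}"
  check_rails_version(version).each { |cve, status| puts "  #{cve}: #{status}" }
end
```

Run it as `ruby check_rails.rb path/to/Gemfile.lock`; with no argument it uses the embedded sample. One comparison caveat: `Gem::Version` normalises the page's `7.0.0-rc2` to `7.0.0.pre.rc2`, which sorts below the `7.0.0.rc2` string RubyGems actually published, so the single-version CVE-2021-44528 row only matches when the version is spelled the way the page spells it.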